Greece Data Privacy Laws: GDPR, Law 4624/2019 & HDPA Guide (2026)

Greece protects personal data under the GDPR, supplemented by Law 4624/2019 in force since 28 August 2019, which sets a digital age of consent of 15 and establishes the Hellenic Data Protection Authority. Constitutional protection comes from Article 9A of the Greek Constitution, added in 2001.
Greece occupies a distinctive place in European data protection. It was one of the last EU member states to finalize its GDPR implementing legislation, yet its supervisory authority has built one of the more active enforcement records in the region. The Hellenic Data Protection Authority's track record spans CCTV compliance, biometric surveillance, telecom breaches, and direct marketing -- and its record EUR 20 million fine against Clearview AI remains a landmark in European enforcement history.
At the same time, the Predator spyware scandal revealed a profound tension in the country's privacy landscape: while legal rules are formally strong, political will to enforce them against state-adjacent surveillance has been tested severely. Understanding Greece's data protection system means grasping both the robust formal framework and the real-world governance pressures that shape how it operates.
Quick Answer: Greece Data Privacy at a Glance
Greece's data protection regime rests on three pillars. First, the GDPR applies directly as EU law to all processing of personal data in Greece. Second, Law 4624/2019 supplements the GDPR with national provisions, transposes the Law Enforcement Directive for criminal-justice processing, and establishes the HDPA's organizational structure. Third, the Greek Constitution's Article 9A provides an explicit constitutional right to data protection and mandates an independent supervisory authority.
For most organizations, the practical obligations are GDPR obligations. Law 4624/2019 matters primarily for its national customizations: the digital age of consent (set at 15), criminal penalties for data protection offenses, specific public-sector processing rules, and some sector-specific provisions.
The HDPA enforces all of it. It investigates complaints, conducts audits, issues guidance, and imposes administrative fines. For cross-border cases involving multiple EU member states, the HDPA participates in the European Data Protection Board's (EDPB) one-stop-shop mechanism.
Constitutional Basis: Article 9A
Greece is one of a small number of EU member states to give data protection explicit constitutional recognition. The 2001 constitutional revision added Article 9A, which provides that "all persons have the right to be protected from the collection, processing and use, especially by electronic means, of their personal data, as specified by law."
The same provision mandates that "the protection of personal data is ensured by an independent authority, which is established and operates as specified by law." This language gives the HDPA constitutional status, not merely statutory status. Its independence is protected at the level of fundamental law, making it structurally harder for any government to interfere with or dismantle the authority through ordinary legislation.

Article 9 of the Constitution further protects the inviolability of private and family life, and Article 19 protects the secrecy of correspondence and communications. Article 19(3) contains an explicit exclusionary rule: evidence obtained in violation of Articles 9A or 19 cannot be used in legal proceedings. This means unconstitutionally obtained personal data is inadmissible in Greek courts.
GDPR and Law 4624/2019: The Legal Framework
The GDPR has applied directly in Greece since 25 May 2018. It is the primary source of data protection obligations for organizations handling personal data in Greece. Law 4624/2019 entered into force on 28 August 2019 and exercises the national discretions the GDPR allows member states to take.
Before Law 4624/2019, Greece operated under Law 2472/1997, which implemented the 1995 EU Data Protection Directive. That law was substantially repealed, though some provisions remain in force where they do not conflict with the GDPR.
What Law 4624/2019 Adds
The national law makes choices in several areas where the GDPR gives member states discretion:
Age of digital consent. Greece set the threshold at 15. Children aged 15 and older can independently consent to information society services such as social media platforms. Children under 15 require verifiable parental authorization. This places Greece in the middle range among EU member states.
Criminal penalties. Articles 38-45 of Law 4624/2019 establish criminal liability for data protection violations. Unlawful processing can result in imprisonment of up to one year and fines. Violations involving sensitive data categories, or committed by persons with professional access to data, face steeper penalties of up to two years' imprisonment and higher fines. This criminal overlay supplements the GDPR's administrative fine regime.
Public-sector processing. The law includes detailed provisions on processing by criminal-justice authorities, implementing Directive (EU) 2016/680. Public bodies processing data for law enforcement or national security purposes operate under these provisions rather than the main GDPR track.
Automated individual decisions. Article 52 of Law 4624/2019 reinforces Article 22 GDPR by prohibiting automated decisions that produce adverse legal or similarly significant effects on individuals unless an explicit statutory authorization exists alongside appropriate safeguards. This provision is especially relevant to AI-driven decision-making by public authorities.
Additional breach notification rule. Article 33(5) of the national law provides that notification of a personal data breach to affected data subjects is not required when such notification would require disclosing information that must remain confidential by law or by reason of its nature, unless the data subject's interests override that confidentiality.
The Hellenic Data Protection Authority (HDPA)
The HDPA is Greece's independent supervisory authority for data protection. Established under Article 9A of the Constitution and structured by Law 4624/2019, the authority sits outside the government hierarchy and cannot receive instructions from any state body.
The HDPA is composed of a President and six members appointed for renewable four-year terms. The President must be a senior judge or a professor of law. Members are appointed by the Greek Parliament. The authority is based in Athens.
HDPA Powers
The HDPA holds the full investigative, corrective, and advisory powers specified in Article 58 GDPR. Investigative powers include the right to conduct audits (including remote website audits), access premises, obtain data, and compel controllers and processors to provide information. Corrective powers include issuing warnings, reprimands, orders to comply, processing bans, and administrative fines. Advisory powers include providing opinions on proposed legislation and approving Binding Corporate Rules.
The HDPA also has authority under the ePrivacy Directive's Greek transposition (Law 3471/2006), giving it jurisdiction over cookie compliance and electronic marketing in addition to GDPR enforcement.
One practical point on language: the HDPA expects that DPOs who do not speak Greek will be supported by a Greek-speaking local liaison. This expectation has been communicated informally but influences how the authority handles correspondence and proceedings.
Legal Bases and Consent
Every act of personal data processing in Greece requires a lawful basis under Article 6 GDPR. The six available bases are: (1) the data subject's consent; (2) performance of a contract; (3) compliance with a legal obligation; (4) protection of vital interests; (5) performance of a public task; and (6) legitimate interests of the controller or a third party, except where overridden by the data subject's fundamental rights.
For sensitive (special category) data under Article 9 GDPR, the available bases narrow considerably. Processing requires one of the exceptions listed in Article 9(2): explicit consent, necessity for employment law purposes, protection of vital interests, processing by non-profit bodies for their members, data made manifestly public by the data subject, legal claims, substantial public interest, preventive medicine or occupational health, public health, or archiving, research, and statistics in the public interest.
Consent Requirements
Consent in Greece must meet the GDPR's standard: freely given, specific, informed, and unambiguous. Pre-ticked boxes, silence, and bundled consents do not qualify. Consent to non-essential cookies requires the same standard as consent to any other processing.
For children's services, controllers must make reasonable efforts to verify that parental authorization has been given for users under 15. The GDPR does not specify verification methods, leaving controllers to implement age-appropriate technical measures.
Consent can be withdrawn at any time, and withdrawal must be as easy as giving consent. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal.
Data Subject Rights
Greek data subjects hold the full set of rights under the GDPR:
Right of access (Article 15). Data subjects can request confirmation of whether their data is being processed and, if so, obtain a copy along with information about the purposes, categories of data, recipients, retention periods, and the existence of automated decision-making. The HDPA has actively enforced this right: Decision 1/2025 imposed a EUR 200,000 fine on a bank for systematic failures in responding to access requests.
Right to rectification (Article 16). Data subjects can require correction of inaccurate or incomplete data.
Right to erasure / right to be forgotten (Article 17). Data subjects can request deletion when data is no longer necessary for its original purpose, consent has been withdrawn without another legal basis, an objection to legitimate interest processing has been upheld, data has been unlawfully processed, or erasure is required by law. In Decision 54/2024, the HDPA issued an enforcement order requiring Google to remove search results linking to an individual's personal data.
Right to restriction (Article 18). Data subjects can limit processing to storage only while contesting accuracy, exercising legal claims, or pending a legitimate interest balancing outcome.
Right to data portability (Article 20). Where processing is based on consent or contract and carried out by automated means, data subjects can receive their data in a structured, commonly used, machine-readable format and transfer it to another controller.
Right to object (Article 21). Data subjects can object to processing based on legitimate interests (including profiling) and to direct marketing. Objections to direct marketing must be honored without qualification; other objections require the controller to demonstrate compelling legitimate grounds to continue.
Rights related to automated decisions (Article 22). Data subjects can decline to be subject to solely automated decisions that have legal or similarly significant effects. Law 4624/2019's Article 52 imposes additional national safeguards for automated decisions by public bodies.
Right to withdraw consent. Data subjects can withdraw consent at any time. Exercising this right does not affect the lawfulness of prior processing.
Controllers must respond to requests within one month. In complex cases the deadline can be extended by two additional months, but the data subject must be informed of the extension within the first month. The HDPA has demonstrated willingness to impose substantial fines for systematic delays in responding to access requests.
Data Breach Notification
Greece follows the standard GDPR breach notification framework. Controllers must notify the HDPA within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals' rights and freedoms. The HDPA accepts breach notifications through its official website.
The notification must include: the nature of the breach, the categories and approximate number of affected data subjects and records, the name and contact details of the DPO or other contact point, the likely consequences of the breach, and the measures taken or proposed to address the breach.
If the 72-hour deadline cannot be met, a partial notification can be submitted with an explanation of the delay. Remaining information can be provided in phases as it becomes available.
When a breach is likely to result in a high risk to affected individuals, the controller must also communicate the breach to those individuals without undue delay. Greek law adds a narrow exception: communication to data subjects is not required when it would require disclosing information that must remain confidential by law or by nature, unless the data subject's interests take precedence.
Processors must notify the controller immediately upon becoming aware of a breach. The controller then assesses risk and determines whether supervisory authority notification is required.
Data Protection Officer (DPO) Requirements
DPO appointments are mandatory in Greece for three categories of organization:
- Public authorities and bodies (except courts in their judicial capacity).
- Organizations whose core activities involve regular and systematic large-scale monitoring of data subjects.
- Organizations whose core activities involve large-scale processing of special category data or criminal-record data.
Voluntary DPO appointments are encouraged and, once made, trigger the same legal obligations as mandatory appointments. The DPO must have expert knowledge of data protection law and practice sufficient to fulfill the tasks assigned by Article 39 GDPR.
Key DPO obligations include informing and advising the controller, monitoring compliance, advising on Data Protection Impact Assessments (DPIAs), cooperating with the HDPA, and acting as the HDPA's primary contact point. The DPO cannot be dismissed or penalized for performing these functions and reports to the highest management level.
DPO contact details must be registered with the HDPA via its online portal or by email. For DPOs who do not speak Greek, the HDPA expects a Greek-speaking local liaison to be designated to facilitate communication with the authority.
ePrivacy and Cookies: Law 3471/2006

Greece's ePrivacy rules derive from Law 3471/2006, which implements the EU ePrivacy Directive (2002/58/EC) as amended by Directive 2009/136/EC (the "Cookie Directive"). Law 4070/2012 updated the framework to incorporate the 2009 amendments.
Cookie Consent
Under Law 3471/2006, cookies and similar tracking technologies may only be installed on a user's device with prior informed consent, except for technically necessary cookies. Consent must meet the full GDPR standard: freely given, specific, informed, and obtained before any non-essential tracking begins.
Strictly necessary cookies are exempt. These include session authentication cookies, load-balancing cookies, user-preference storage cookies, and security cookies essential to the service the user has actively requested. All other cookies, including analytics, advertising, targeting, and social-media tracking cookies, require opt-in consent.
Pre-ticked boxes, continuation of browsing, and inferred acceptance do not constitute valid consent. The HDPA's Recommendations 1/2020 and 2/2020 specify acceptable consent mechanisms and require that privacy notices be visible from all entry points to a website.
The HDPA conducts remote website audits for cookie compliance and has signaled that formal enforcement actions are planned for persistently non-compliant sites.
Electronic Direct Marketing
Law 3471/2006 also governs electronic marketing communications. Unsolicited marketing by email, SMS, or automated calling systems is prohibited without prior consent, with one exception: companies may send marketing to existing customers about similar products or services, provided the customer was given an easy, free opt-out at the time of collection and in each subsequent communication.
For telephone marketing, callers must check the opt-out registry at least 30 days before contacting any individual, must identify the controller and processor at the start of the call, and must explain the data subject's rights during the call.
The HDPA has actively enforced these rules. Decision 8/2025 imposed a EUR 45,000 fine on a dating agency for 15 violations of Article 11 of Law 3471/2006 through unsolicited SMS marketing. Decision 44/2025 imposed a EUR 80,000 fine on an energy provider for unsolicited promotional calls.
Cross-Border Data Transfers
Greece applies the standard GDPR framework for international transfers. Transfers of personal data outside the European Economic Area require one of three mechanisms:
Adequacy decisions. The European Commission has recognized a number of third countries as providing adequate data protection. Transfers to these countries require no additional safeguards beyond normal GDPR compliance.
Appropriate safeguards. Where no adequacy decision exists, transfers may proceed with appropriate safeguards, most commonly Standard Contractual Clauses (SCCs), which were updated by the European Commission in 2021. Other options include Binding Corporate Rules, approved codes of conduct, and approved certification mechanisms.
Derogations. Article 49 GDPR permits transfers in specific situations: explicit consent, contract performance, important public interest, legal claims, vital interests, and data from a public register. These derogations are narrow and cannot serve as a routine mechanism for systematic transfers.
Following the Schrems II judgment (CJEU Case C-311/18), controllers must assess whether the destination country's surveillance laws and legal framework undermine the protections offered by the safeguards in place. Where risks are identified, supplementary technical or contractual measures are required.
Transfers do not require HDPA authorization, but documentation and record-keeping obligations apply. BCRs require HDPA approval when the HDPA acts as lead supervisory authority. The HDPA has aligned fully with EDPB positions on transfer mechanisms and participates actively in one-stop-shop proceedings.
HDPA Enforcement: Notable Decisions
Clearview AI -- EUR 20 Million (Decision 35/2022)
The HDPA's most significant enforcement action remains its EUR 20 million fine against Clearview AI in July 2022. The case arose from a complaint filed by the civil organization Homo Digitalis representing a Greek data subject.
Clearview AI scraped billions of facial images from the internet to build a commercial biometric facial-recognition database available to law enforcement and private clients. The HDPA found violations of the legality and transparency principles under Articles 5(1)(a) and 6 GDPR, unlawful processing of biometric data under Article 9, and failures regarding transparency information (Article 14), access rights (Article 15), and the obligation to designate an EU representative (Article 27).
The authority ordered Clearview to satisfy the complainant's access request, prohibited Clearview from collecting or processing the personal data of Greek residents through its facial recognition methods, and ordered deletion of all data already collected. The EUR 20 million fine was the maximum available under the GDPR's upper tier and represented the HDPA's record penalty.
COSMOTE and OTE -- EUR 9.25 Million (Decision 4/2022)
In January 2022, the HDPA fined telecom operator COSMOTE EUR 6 million and its parent company OTE EUR 3.25 million following a September 2020 data breach in which a cyberattack using social engineering exfiltrated subscriber call data. The breach affected call detail records for approximately 4.8 million subscribers including rough location data, along with demographic and account information for about 4.2 million customers.
COSMOTE was found to have violated the legality and transparency principles due to inadequate subscriber information, to have conducted a deficient Data Protection Impact Assessment under Article 35, to have failed to implement data protection by design under Article 25(1), and to have maintained inadequate security measures. OTE was fined for inadequate security measures in the part of its infrastructure involved in the breach.
Banking Access Failures -- EUR 200,000 (Decision 1/2025)
In early 2025, the HDPA imposed a EUR 200,000 fine and a reprimand on a bank for systematic failures in responding to data subject access requests under Article 15 GDPR. The authority found the bank had not implemented adequate procedures to handle access requests within the required one-month deadline, resulting in repeated violations across multiple data subjects.
Ministry of Migration and Asylum -- EUR 175,000 (Decision 13/2024)
The HDPA fined the Ministry of Migration and Asylum EUR 175,000 for GDPR violations in surveillance systems at border reception and asylum facilities. Violations included processing biometric data without an adequate legal basis, failing to conduct required DPIAs, and entering into deficient data processing agreements with technology vendors. The decision is notable for applying GDPR enforcement to a government ministry and for scrutinizing the use of advanced surveillance technology including CCTV, drones, and AI behavioral analytics at migration facilities.
Political Party Data Processing (Decision 38/2024)
The HDPA fined a political party EUR 30,000 and two party members EUR 10,000 each for unlawful processing of voter personal data, including violations of data subjects' rights. The authority ordered deletion of overseas voter data that had been retained without a valid legal basis.
Energy Sector and Direct Marketing (2025)
Recent 2025 decisions demonstrate the HDPA's continued attention to direct marketing. Decision 44/2025 imposed EUR 80,000 on an energy provider and its call center for unsolicited promotional calls. Decision 42/2025 fined an energy services company EUR 30,000 for denying data subjects' rights of access, rectification, and erasure. Decision 8/2025 fined a dating agency EUR 45,000 for unsolicited SMS marketing campaigns.
Workplace Surveillance (Decision 23/2021)
The HDPA imposed a EUR 15,000 fine for illegal installation of video surveillance cameras in employee offices and a kitchen. The authority reiterated that workplace CCTV cannot be used for performance evaluation, assessment, or training, and that surveillance in rest areas violates employee privacy regardless of any other justification.
Video Surveillance and CCTV: A Detailed Framework
Greece has developed a detailed body of CCTV enforcement practice that reflects the HDPA's active approach to physical surveillance compliance.
CCTV is permitted in privately operated areas accessible to the public when the purpose is to protect persons and property, based on legitimate interests or legal obligation. Key restrictions apply:
Cameras may not be used to monitor employee performance, evaluate productivity, identify training needs, or inform any HR decision. This prohibition is categorical and consistently enforced. Cameras in employee offices, locker rooms, kitchens, and rest areas are unlawful regardless of the purpose claimed.
Organizations must conduct a DPIA before deploying large-scale video surveillance. Systems involving AI behavioral analytics, facial recognition, or drone surveillance at migration facilities attract mandatory DPIA requirements regardless of scale.
Signage must clearly inform individuals that surveillance is in operation. Signs must identify the data controller and include contact information. Signage must be visible from all entry points.
Footage retention periods must be proportionate. The HDPA has indicated that retention beyond 15 days requires specific justification. Many organizations limit retention to 7-10 days. Extended retention for incidents under investigation must be documented.
Data subjects have the right to access footage that captures their image within the GDPR's standard access request framework. Organizations that fail to provide footage in response to a valid access request face fines, as demonstrated in the Alpha Bank case (Decision 36/2023, EUR 10,000 for failure to provide CCTV footage promptly).
The Predator / Intellexa Spyware Scandal
No account of Greek data privacy can ignore the Predator spyware scandal, which revealed a severe gap between the country's formal legal protections and the conduct of state-adjacent actors.
The scandal emerged in 2022 when journalist Thanasis Koukakis discovered his phone had been infected with Predator spyware and that he had been wiretapped by the Greek National Intelligence Service. Shortly afterward, Nikos Androulakis, then leader of the opposition PASOK-KINAL party and a Member of the European Parliament, discovered his phone had also been targeted with Predator.
Subsequent investigations by Amnesty International's Security Lab, the European Parliament's PEGA Committee, and Greek investigative media identified at least 87 verified victims, including journalists, politicians, military officials, business figures, and civil society members.
Predator was developed and distributed by Intellexa, a company founded by Tal Dilian, a former Israeli military intelligence officer. In 2024, the U.S. Treasury Department sanctioned Intellexa and several of its principals for developing and distributing commercial spyware used to target journalists, government officials, and others.
On 26 February 2026, an Athens court sentenced four individuals -- Tal Dilian, his business partner Sara Hamou, former deputy administrator Felix Bitzios, and Yiannis Lavranos (through whose company Kriel the spyware was allegedly procured) -- to 8-year prison terms (the maximum for misdemeanor charges). The court also ordered further prosecutions.
For data protection practitioners, the Predator scandal illustrates both the importance of robust legal frameworks and their limits when surveillance capabilities outpace institutional willingness to apply them. ADAE, the communications privacy watchdog, documented the surveillance but faced political resistance in pursuing accountability. The HDPA's jurisdiction extends to the data protection aspects of surveillance but does not reach signals intelligence or covert interception, which fall to ADAE and the courts.
EU AI Act Interaction with Greek Data Protection
The EU AI Act (Regulation 2024/1689) entered into force on 1 August 2024. Its application in Greece follows the EU-wide timeline: provisions on prohibited AI practices and AI literacy applied from 2 February 2025, general-purpose AI model obligations from 2 August 2025, and high-risk AI system requirements from 2 August 2026.
The AI Act does not displace GDPR; both apply in parallel. AI systems that process personal data must comply with both regulatory regimes simultaneously.
Prohibited AI practices. From 2 February 2025, the AI Act prohibits certain uses of AI outright: real-time remote biometric identification in publicly accessible spaces (with narrow law-enforcement exceptions), AI systems that exploit vulnerabilities or manipulate behavior, social scoring by public authorities, and untargeted scraping of facial images from the internet or CCTV to build facial recognition databases. The last prohibition is directly relevant to the Clearview AI model of operation and would now attract AI Act penalties as well as GDPR fines -- up to EUR 35 million or 7% of global annual turnover.
High-risk AI systems. From August 2026, AI systems used in law enforcement, border management, employment, education, and critical infrastructure must comply with conformity assessment requirements, data governance standards, transparency obligations, and human oversight requirements before deployment.
HDPA's AI role. The HDPA has designated responsibilities for AI-related data protection oversight, particularly for Article 22 GDPR automated decision-making, mandatory DPIAs for large-scale profiling AI systems, and AI transparency obligations. Greece has also designated national competent authorities through the Hellenic Ministry of Digital Governance's catalogue of oversight bodies published in 2025.
Greek Law 4961/2022. Preceding the AI Act, this national law on emerging ICT technologies requires public bodies using AI for decisions affecting citizens to conduct DPIAs and provide transparency about algorithmic decision-making parameters. It remains in force alongside the AI Act.
Recent Developments (2024-2026)
Several legislative and regulatory developments have shaped Greece's data protection landscape in the past two years.
Law 5099/2024 incorporated the Digital Services Act into Greek law and designated the HDPA as the competent authority for DSA oversight, expanding its jurisdictional scope beyond traditional data protection into online platform content and algorithmic transparency.
Law 5160/2024 implemented the NIS2 cybersecurity directive, establishing enhanced security obligations for operators of essential and important entities across energy, transport, financial, health, digital infrastructure, and public administration sectors. NIS2 obligations interact directly with GDPR security requirements under Article 32.
Law 5169/2025 ratified the Council of Europe's amending protocol to Convention 108 on automatic processing of personal data, bringing Greece into alignment with the modernized international data protection convention framework.
EHDS Regulation (2025/327) entered into force in March 2025 and establishes an EU-wide framework for electronic health records and secondary use of health data for research. Greek healthcare organizations will need to adapt their data governance frameworks accordingly.
EU AI Act rollout. The phased application of the AI Act is the most significant 2025-2026 regulatory development. Organizations in Greece deploying AI systems should be auditing their systems now against the prohibited-practice categories and preparing for the August 2026 high-risk AI requirements.
Business Compliance: Practical Priorities
Organizations operating in Greece should prioritize the following compliance areas based on the HDPA's demonstrated enforcement patterns:
CCTV and video surveillance. This is the area of highest enforcement risk for physical businesses. Ensure all camera systems are supported by a DPIA, that signage meets HDPA requirements (visible from all entry points, identifying the controller), that retention periods are documented and limited (no more than 15 days without specific justification), and that procedures exist to respond to footage access requests. Employee monitoring for performance purposes is categorically prohibited.
Data subject access requests. The HDPA has imposed EUR 200,000 for systematic failures in this area. Build a process that reliably delivers responses within one month, log all requests and responses, and train relevant staff. Ensure the process covers all data types, including CCTV footage.
Cookie compliance. The HDPA conducts remote website audits. Audit your cookie banner against the standard: no pre-ticked boxes, no dark patterns, a genuine reject option that is as prominent as the accept option, and consent withdrawal that is as easy as consent giving.
Direct marketing. Check every outbound marketing channel against Law 3471/2006. Email marketing to non-customers requires prior consent. Telephone marketing requires opt-out registry compliance at least 30 days in advance. SMS marketing without consent has attracted fines in the EUR 45,000-80,000 range.
Data breach readiness. The 72-hour notification clock starts when the controller becomes aware of the breach, not when investigation is complete. Maintain a breach response procedure with pre-identified HDPA notification contacts and a breach log.
DPO appointment. If mandatory appointment criteria are met, appoint a DPO, register contact details with the HDPA, and ensure the DPO has sufficient resources and organizational independence. For non-Greek-speaking DPOs, designate a Greek-speaking liaison.
AI systems. For any AI system that makes automated decisions with significant effects, document the Article 22 legal basis, conduct a DPIA, and implement human oversight mechanisms. From August 2026, high-risk AI systems will require full AI Act conformity assessment before deployment.
For information on how recording laws intersect with privacy in Greece, see our guide to Greece recording laws. For the broader EU framework governing Greece, see our EU data privacy laws guide.
Disclaimer: This article provides general information about Greece's data privacy laws and is not legal advice. Data protection law changes frequently. Consult a qualified attorney licensed in Greece for guidance on your specific situation.
Frequently Asked Questions
What is Greece's main data privacy law?
Greece's data protection framework consists of two instruments operating in parallel. The GDPR (EU 2016/679) applies directly as EU law and is the primary source of obligations. Law 4624/2019 -- Greece's national GDPR implementing legislation, in force since 28 August 2019 -- supplements the GDPR with national choices including a digital age of consent of 15, criminal penalties for data offenses, and the organizational framework for the Hellenic Data Protection Authority. Constitutional protection is also provided by Article 9A of the Greek Constitution, added in the 2001 revision.
Who is the data protection authority in Greece?
The Hellenic Data Protection Authority (HDPA) is Greece's independent supervisory authority. It is a constitutional body based in Athens, composed of a President and six members appointed for four-year terms by the Greek Parliament. The HDPA investigates complaints, conducts audits, issues guidance, and can impose fines of up to EUR 20 million or 4% of global annual turnover for serious GDPR violations.
What was the Clearview AI fine in Greece?
In July 2022, the HDPA imposed a EUR 20 million fine on Clearview AI -- the maximum possible under the GDPR's upper tier. Decision 35/2022 found that Clearview violated the lawfulness and transparency principles (Articles 5 and 6 GDPR), unlawfully processed biometric data (Article 9), and failed its transparency and access obligations (Articles 12, 14, 15, and 27). The HDPA also ordered Clearview to delete all personal data of Greek residents collected through its facial recognition service and prohibited future collection.
What are the cookie consent rules in Greece?
Under Law 3471/2006, Greece requires opt-in consent for all non-essential cookies. Technically necessary cookies (authentication, load-balancing, security, user preferences for the service requested) are exempt. All analytics, advertising, targeting, and social-media tracking cookies require prior informed consent meeting the full GDPR standard: freely given, specific, informed, and given before any tracking begins. Pre-ticked boxes and inferred consent from continued browsing are invalid. The HDPA conducts remote website audits for cookie compliance.
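The consent standard described here, and the cookie-banner audit points in the compliance priorities above, can be checked mechanically. The following JavaScript is an added illustration and is not code from this article or from the HDPA: it models consent state so that nothing beyond technically necessary cookies runs until an explicit opt-in, continued browsing changes nothing, and rejecting or withdrawing is a single action, the same cost as accepting. The category names and the tracker registry are constructed for the example.

```javascript
// Added example: a consent-gating model for the opt-in cookie standard.
// Category names and the registry below are constructed, not from the article.
const NECESSARY = "necessary"; // exempt: auth, load balancing, security, preferences
const OPTIONAL = ["analytics", "advertising", "targeting", "social"]; // need prior opt-in

// Default state: every optional category is denied. A pre-ticked box would be
// a `true` here before the user has acted, which is exactly what must not happen.
function defaultConsent() {
  const state = { [NECESSARY]: true };
  for (const c of OPTIONAL) state[c] = false;
  return state;
}

// Record an explicit, specific choice: only categories the user actively ticked
// become true; anything not listed stays denied (no inferred or bundled consent).
function grant(state, categories) {
  const next = { ...state };
  for (const c of categories) {
    if (!OPTIONAL.includes(c)) throw new Error(`not an opt-in category: ${c}`);
    next[c] = true;
  }
  return { ...next, decidedAt: Date.now() };
}

// "Reject all" and withdrawal are one call each, no harder than "accept all".
function rejectAll() { return { ...defaultConsent(), decidedAt: Date.now() }; }
function withdraw() { return rejectAll(); }

// Continued browsing (scroll, click elsewhere) must never change consent.
function onScroll(state) { return state; }

// Decide which embedded scripts may run. Trackers whose category lacks an
// explicit `true` are never loaded, including before the banner is answered.
function allowedTrackers(state, registry) {
  return registry.filter((t) => state[t.category] === true).map((t) => t.id);
}

// Constructed registry of scripts a site might embed.
const REGISTRY = [
  { id: "session-cookie", category: NECESSARY },
  { id: "ga4", category: "analytics" },
  { id: "ads-pixel", category: "advertising" },
  { id: "share-widget", category: "social" },
];
```

Wire the real banner's buttons to `grant`, `rejectAll` and `withdraw`, and load third-party scripts only from the list `allowedTrackers` returns, so the page can never emit an analytics or advertising cookie ahead of a recorded choice.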
What is the age of digital consent in Greece?
Greece set the age of digital consent at 15 years old under Law 4624/2019. Children aged 15 and older can independently consent to information society services such as social media platforms. For children under 15, controllers must obtain and verify parental or guardian authorization before providing the service.
What is the Predator spyware scandal in Greece?
The Predator spyware scandal emerged in 2022 when it was discovered that Intellexa's Predator software had been used to target at least 87 individuals in Greece, including journalists, politicians, military officials, and civil society figures. In February 2026, an Athens court sentenced Intellexa founder Tal Dilian and three others to 8-year prison terms. The U.S. Treasury sanctioned Intellexa in 2024. The scandal highlights the tension between Greece's formal data protection rules and state-adjacent surveillance practices.
Does Greece have constitutional data protection rights?
Yes. Article 9A of the Greek Constitution, added in the 2001 revision, explicitly guarantees every person the right to protection of their personal data and mandates an independent supervisory authority. This constitutional status means the HDPA's independence is protected at the fundamental-law level. Article 19(3) also provides that evidence obtained in violation of data protection or communications secrecy provisions is inadmissible in Greek courts.
How does the EU AI Act affect organizations in Greece?
The EU AI Act entered into force in August 2024 and applies directly in Greece. Prohibited AI practices have been enforceable since February 2025 -- including bans on real-time remote biometric identification in public spaces and mass scraping of facial images for recognition databases. High-risk AI system requirements apply from August 2026. AI systems processing personal data must comply with both the AI Act and the GDPR simultaneously. Non-compliance with prohibited AI practices can trigger fines up to EUR 35 million or 7% of global annual turnover.